Patch Tuesday: 80+ vulnerabilities fixed, one exploited in the wild

As part of its regular, monthly Patch Tuesday update, Microsoft has released patches for 81 new vulnerabilities, including a zero-day in the .NET Framework.

The September patch dump also includes details of a spoofing vulnerability in the Windows Bluetooth driver (CVE-2017-8628), which has been disclosed as part of the BlueBorne batch of vulnerabilities. The flaw was apparently patched silently in July, but Microsoft chose to delay releasing details about it until other vendors could develop and release updates.

A zero-day exploited to deliver FinSpy

Among the patched vulnerabilities is one that has been spotted being exploited in the wild. The discovery was made by FireEye researchers, after they detected a malicious Microsoft Office RTF document that leveraged it.

CVE-2017-8759, a flaw in the Microsoft .NET Framework, was used in limited targeted attacks, to deliver the FinSpy malware, sold by Germany-based Gamma Group.

“FINSPY malware, also reported as FinFisher or WingBird, is available for purchase as part of a ‘lawful intercept’ capability. Based on this and previous use of FINSPY, we assess with moderate confidence that this malicious document was used by a nation-state to target a Russian-speaking entity for cyber espionage purposes,” FireEye researchers shared.

“Additional detections by FireEye’s Dynamic Threat Intelligence system indicates that related activity, though potentially for a different client, might have occurred as early as July 2017.”

“The CVE-2017-8759 vulnerability can allow remote code execution after users open a spam email, and double-click on an untrusted attachment and disable the Microsoft Office Protected View mode, Microsoft explained. “The exploit uses Microsoft Word as the initial vector to reach the real vulnerable component, which is not related to Microsoft Office and which is responsible for certain SOAP-rendering functionalities through .NET classes.”

Other important patches

The update contains patches for two more publicly disclosed flaws: a Device Guard security feature bypass vulnerability (CVE-2017-8746), and a remote code execution vulnerability in the Broadcom chipsets used in HoloLens (CVE-2017-9417). An exploit for the latter is already public.

“Top priority for patching should go to CVE-2017-0161, an RCE vulnerability in NetBIOS that impacts both servers and workstations. For users of Microsoft’s DHCP server, priority should also be given to CVE-2017-8686, especially if using failover mode, due to another potential RCE,” noted Jimmy Graham, Director of Product Management at Qualys.

“Out of the 26 vulnerabilities that are both Critical and RCE, 22 of them impact Microsoft’s browsers. Many of these vulnerabilities involve the Scripting Engine, which can impact both browsers and Microsoft Office, and should be considered for prioritizing for workstation-type systems that use email and access the internet via a browser.”